Spiral Toys, a company that makes connected CloudPets teddy bears, had mistakenly left its clients’ sensitive data and messages exposed online for at least two weeks. This leak left more than 800,000 customer credentials, and two million message recordings exposed to malicious activities by hackers.
Motherboard reports that Spiral Toys left CloudPets data unencrypted without any protection of a firewall or even a password since Christmas last year, till at least the first week of January. This public data was found by two researchers, one being Troy Hunt, who claims that cybercriminals found this database, and tried to overwrite it twice. Cybercriminals were actively looking for exposed MongoDB databases in the beginning of January to delete their data and hold it for ransom.
Spiral Toys has been completely mum about the breach, and is looking to file for bankruptcy as their stock value is around zero, the report says. This breach again puts the spotlight on the importance of security on IoT devices. Most IoT devices are not secure by default, and manufacturers need to make privacy and security a priority, and release all IoT devices with default security measures moving forward.
“It only takes one little mistake on behalf of the data custodian […] and every single piece of data they hold on you and your family can be in the public domain in mere minutes. If you’re fine with your kids’ recordings ending up in unexpected places then so be it, but that’s the assumption you have to work on because there’s a very real chance it’ll happen,” Hunt wrote in his blog post.
The CloudPets teddy bear essentially allowed family members to send voice messages to their kids via the teddy bear using an app. The kid could also record messages as a reply and send it to their parents who could hear it on the app. While the product seems innocent, the customers’ credentials and conversations were not kept in a safe place, and were available for everyone to hear and exploit. We recommend severe caution in using such IoT devices in the future.
A similar potential IoT product breach led to the German authorities banning it altogether. The Internet-connected doll called My Friend Cayla could chat with children, and the authorities warned that it was a de facto “spying device”. Parents were urged to disable the interactive toy by the Federal Network Agency which enforces bans on surveillance devices. The authorities warned that the doll could record or transmit anything a child says, or other people’s conversations, without parents’ knowledge.